
ps x process

Discussion in 'General Discussion' started by lefteris, Feb 7, 2008.

  1. lefteris

    lefteris Member

    Joined:
    Nov 5, 2005
    Messages:
    17
    Likes Received:
    0
    Trophy Points:
    151
    Dear All,
    On my server I found 3-4 processes with the name ps x, and they call PERL [defunct].
    Can you please tell me what this is?

    Please can you give me some find (-switch) to search my server for trojans?

    I have installed chkroot and it does not find anything.

    Thanks,
    lefteris
     
  2. vanessa

    vanessa Well-Known Member
    PartnerNOC

    Joined:
    Sep 26, 2006
    Messages:
    834
    Likes Received:
    28
    Trophy Points:
    178
    Location:
    Virginia Beach, VA
    cPanel Access Level:
    DataCenter Provider
    Such a switch does not exist. To track the perl processes, run 'lsof -p <pid> | more' and see where it's executing from, which is usually indicated in the first or second line of the output. If you don't recognize the location, or it's running from /tmp or /dev/shm, it's probably a hack process. Honestly, it's normal for these to pop up on servers once in a while, usually caused by a vulnerable web application, but if it's running as root then be prepared to wipe your box down.
     
  3. lefteris

    lefteris Member

    Joined:
    Nov 5, 2005
    Messages:
    17
    Likes Received:
    0
    Trophy Points:
    151
    Hi again,
    thanks for your answer.

    I ran the query and here is the result.

    COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
    perl 16023 nobody cwd DIR 8,5 4096 2 /
    perl 16023 nobody rtd DIR 8,5 4096 2 /
    perl 16023 nobody txt REG 8,3 1004382 1115085 /usr/bin/perl
    perl 16023 nobody mem REG 8,5 46680 131112 /lib/libnss_files-2.5.so
    perl 16023 nobody mem REG 8,5 125736 131286 /lib/ld-2.5.so
    perl 16023 nobody mem REG 8,5 1589908 131288 /lib/libc-2.5.so
    perl 16023 nobody mem REG 8,5 16428 132689 /lib/libdl-2.5.so
    perl 16023 nobody mem REG 8,5 208352 132692 /lib/libm-2.5.so
    perl 16023 nobody mem REG 8,5 27736 132695 /lib/libcrypt-2.5.so
    perl 16023 nobody mem REG 8,5 101404 132694 /lib/libnsl-2.5.so
    perl 16023 nobody mem REG 8,3 16278 1245551 /usr/lib/perl5/5.8.8/i686-linux/auto/IO/IO.so
    perl 16023 nobody mem REG 8,5 76400 132693 /lib/libresolv-2.5.so
    perl 16023 nobody mem REG 8,5 21788 131110 /lib/libnss_dns-2.5.so
    perl 16023 nobody mem REG 8,3 22792 1245450 /usr/lib/perl5/5.8.8/i686-linux/auto/Socket/Socket.so
    perl 16023 nobody mem REG 8,5 15164 132696 /lib/libutil-2.5.so
    perl 16023 nobody mem REG 8,3 56405424 1018184 /usr/lib/locale/locale-archive
    perl 16023 nobody 0r CHR 1,3 1359 /dev/null
    perl 16023 nobody 1w FIFO 0,6 3504727594 pipe
    perl 16023 nobody 2w REG 8,3 3457114 1640504 /usr/local/apache/logs/error_log~ (deleted)


    I tried to find something, but nothing.
    In netstat I see an IRC connection, so I believe it's a bot.
    But how can I kill and remove it?
     
  4. vanessa

    vanessa Well-Known Member
    PartnerNOC

    Joined:
    Sep 26, 2006
    Messages:
    834
    Likes Received:
    28
    Trophy Points:
    178
    Location:
    Virginia Beach, VA
    cPanel Access Level:
    DataCenter Provider
    Take the PID, which in your case is 16023, and kill it:


    kill -9 16023
     
  5. lefteris

    lefteris Member

    Joined:
    Nov 5, 2005
    Messages:
    17
    Likes Received:
    0
    Trophy Points:
    151
    I did it, but every time the file is running again.

    I cannot find the file.
     
  6. lefteris

    lefteris Member

    Joined:
    Nov 5, 2005
    Messages:
    17
    Likes Received:
    0
    Trophy Points:
    151
    The same problem again.

    I kill the process but it's running again after 2-3 hours.
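A process that comes back after kill -9 is being re-launched by something, and the lsof output posted earlier in the thread gives two leads. Its fd 2 is Apache's error_log, so the original launch came from inside a web request (vanessa's "vulnerable web application"), and no script file is open, which fits a launcher such as 'wget -O - URL | perl' where the bot never touches disk, one reason "I cannot find the file" is a common outcome. A return every 2-3 hours also fits a cron entry planted under the web server user, which on this box is nobody (the USER column of the lsof output). Added example, not from the thread: a shell script that scans every crontab on the box for entries that run out of scratch space, download something, or pipe a download into an interpreter, and lists files in scratch directories and files owned by nobody. The trigger words and directories are my choices and will produce false positives; read each hit. The sample crontab text in the test is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: hunt for whatever re-launches the bot.
# Two places to look: a scheduled job (cron/at) planted under the web server
# user, and a file dropped where that user can write. The trigger words and
# directories are my choices; expect some false positives and read each hit.

# flag_cron_line LINE -> exit 0 if the command part looks like a dropper or a
# bot launcher: runs out of scratch space, downloads something, or pipes a
# download into an interpreter so nothing is ever written to disk.
flag_cron_line() {
    case "$1" in
        ''|'#'*|[A-Za-z_]*=*) return 1 ;;   # blank, comment, or a VAR=value line
    esac
    case "$1" in
        */tmp/*|*/dev/shm/*)                   return 0 ;;
        *wget*|*curl*|*fetch*|*lynx*)          return 0 ;;  # fetches something at run time
        *'|'*perl*|*'|'*sh*|*'|'*python*)      return 0 ;;  # "... | perl", "... | sh"
        *base64*|*/dev/tcp/*)                  return 0 ;;
        *)                                     return 1 ;;
    esac
}

# scan_cron_stream LABEL (stdin: crontab text) -> print "LABEL: line" for each hit
scan_cron_stream() {
    while IFS= read -r line; do
        if flag_cron_line "$line"; then echo "$1: $line"; fi
    done
}

# scan_crontabs -> per-user spools (Red Hat and Debian layouts), the system
# crontab, cron.d, and queued at jobs
scan_crontabs() {
    for f in /var/spool/cron/* /var/spool/cron/crontabs/* /etc/crontab /etc/cron.d/* /var/spool/at/*; do
        [ -f "$f" ] || continue
        scan_cron_stream "$f" < "$f"
    done
}

# hunt_files -> where a process running as nobody could have dropped something
hunt_files() {
    echo "== hidden or executable files in scratch dirs"
    find /tmp /var/tmp /dev/shm -type f \( -name '.*' -o -perm -u+x \) -ls 2>/dev/null
    echo "== files owned by the web server user modified in the last 7 days (outside its logs)"
    find / -xdev -user nobody -type f -mtime -7 ! -path '/usr/local/apache/logs/*' -ls 2>/dev/null
}

if [ "$1" = --run ]; then
    scan_crontabs
    hunt_files
fi
```

Run it as root (./hunt.sh --run). If every crontab is clean and nothing was dropped, the relaunch is most likely the same web request arriving again, so the next step is the Apache access_log around the times the process appears, looking for the script that was hit; killing the process without fixing that script only buys a few hours, as the thread shows.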
     
  7. lefteris

    lefteris Member

    Joined:
    Nov 5, 2005
    Messages:
    17
    Likes Received:
    0
    Trophy Points:
    151
    Please can you explain this to me?

    [10:26:10] Warning: The command '/usr/bin/GET' has been replaced by a script: /usr/bin/GET: perl script text executable
    [10:26:10] /usr/bin/groups [ Warning ]
    [10:26:10] Warning: The command '/usr/bin/groups' has been replaced by a script: /usr/bin/groups: Bourne shell script text executable
    [10:26:12] /usr/bin/perl [ Warning ]
    [10:26:12] Warning: Write permission is set on file '/usr/bin/perl' for all users.
    [10:26:14] /usr/bin/wget [ Warning ]
    [10:26:14] Warning: Write permission is set on file '/usr/bin/wget' for all users.
    [10:26:15] /usr/bin/whatis [ Warning ]
    [10:26:15] Warning: The command '/usr/bin/whatis' has been replaced by a script: /usr/bin/whatis: Bourne shell script text executable
    [10:26:16] /sbin/ifup [ Warning ]
    [10:26:16] Warning: The command '/sbin/ifup' has been replaced by a script: /sbin/ifup: Bourne-Again shell script text executable

    And how can I fix it?
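The warnings above are rkhunter's, and they are of two different kinds. "Replaced by a script" is decided from the file type alone, and several of these paths ship as scripts on this platform (/usr/bin/GET is the libwww-perl client script, /sbin/ifup is a shell script from initscripts), so that class needs confirmation before acting on it. "Write permission is set for all users" on /usr/bin/perl and /usr/bin/wget is a different matter: no package installs them that way, and chmod on a root-owned file in /usr/bin takes root, so if it is confirmed, vanessa's advice to wipe the box applies even though the bot itself runs as nobody. The confirmation is the RPM database: rpm -V recompares each file with the size, MD5 digest, mode, owner, group and mtime recorded at install time, so a file its package legitimately ships as a script verifies clean, while a swapped or chmod-ed binary shows a flag. Added example, not from the thread: a parser for rpm -V output that ranks the flags, a wrapper that verifies the package owning each path rkhunter named, and a direct find for world-writable files in the system bin directories. It assumes an RPM-based system (the glibc 2.5 and perl 5.8.8 paths in the lsof output are CentOS/RHEL 5); the rpm -V lines in the test are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: settle rkhunter's warnings against the
# RPM database. Assumes an RPM-based system.

# classify_rpmv (stdin: 'rpm -V' output) -> one "SEVERITY reason path" line per entry.
# Flag columns: S size, M mode, 5 MD5 digest, D device, L link target, U user,
# G group, T mtime; '.' means the attribute matched, '?' means it could not be tested.
classify_rpmv() {
    while read -r flags rest; do
        [ -n "$flags" ] || continue
        file=${rest##* }            # last token; drops an attribute marker such as 'c' (config)
        case "$flags" in
            missing)     echo "CRITICAL missing $file" ;;
            *5*|*S*|*L*) echo "CRITICAL content-changed $file" ;;    # not the bytes the package installed
            *M*|*U*|*G*) echo "HIGH perms-or-owner-changed $file" ;; # e.g. chmod o+w /usr/bin/perl
            *T*|*D*)     echo "LOW metadata-changed $file" ;;        # mtime alone: often prelink or touch
            *)           echo "LOW unparsed $flags $file" ;;
        esac
    done
}

# verify_files PATH... -> verify the package owning each path and classify the result.
# rpm -V prints nothing for a file that matches, so a clean package produces no lines.
# A path no package owns is reported on its own: that one needs a manual look.
verify_files() {
    for f in "$@"; do
        if rpm -qf "$f" >/dev/null 2>&1; then
            rpm -Vf "$f" 2>/dev/null | classify_rpmv
        else
            echo "UNOWNED not-from-any-package $f"
        fi
    done | sort -u
}

# world_writable_bins -> the exact condition rkhunter reported, checked directly
world_writable_bins() {
    find /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin \
        -type f -perm -o+w 2>/dev/null
}

if [ $# -gt 0 ]; then
    verify_files "$@"
    world_writable_bins
fi
```

Usage on the box: ./verify.sh /usr/bin/GET /usr/bin/groups /usr/bin/perl /usr/bin/wget /usr/bin/whatis /sbin/ifup. Because rpm -Vf verifies the whole owning package, the output also covers every other file from those packages, which is what you want. Two caveats: rpm and its database sit on the same disk as the intruder, so a clean verdict is evidence, not proof, and a CRITICAL on perl or wget means reinstalling the package from trusted media rather than fixing the bits in place; and the process still has to be killed and its launcher removed, or the verified binaries will be modified again.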
     